Advancing Privacy & Security Practices Through an Organization Wide

Information Governance Program

April 5, 20172 pm – 3 pm ET

Agenda

• Welcome and Introductions – Claudia Ellison, Program Director, eHealth Initiative

• Discussion & Comments – Katherine Downing, MA, RHIA, CHPS, PMP, Senior Director,

IGAdvisors®, at the American Health Information Management Association (AHIMA)

– Barb Beckett, RHIT, CHPS, Systems Privacy Officer, St. Luke's Health System

– Judi Hofman, Northwest Regional Privacy Officer, Catholic Health Initiative

• Questions & Answers from Audience

Housekeeping Issues

• All participants are muted• To ask a question or make a comment, please submit via the chat feature and we will

address as many as possible after the presentations.

• Technical difficulties:– Use the chat box and we will respond as soon as possible

• Questions & Answers– Use the Q&A

• Today’s slides will be available for download on the eHI Resource page at: https://www.ehidc.org/resources/eventsummaries

Overview of eHealth Initiative

• Since 2001, eHealth Initiative (c6) and the Foundation for eHealth Initiative (c3) have conducted research, education and advocacy to demonstrate the value of technology and innovation in health.

• Serve as the industry leader convening executives from multi-stakeholder groups to identify best practices to transform care through use of health IT

• The missions of the two organizations are the same: to drive improvement in the quality, safety, and efficiency of healthcare through information and technology.

• Our work is centered around the 2020 Roadmap. The primary objective of the 2020 Roadmap is to craft a multi-stakeholder solution to enable coordinated efforts by public and private sector organizations to transform care delivery through data exchange and health IT.

4

Roadmap to Transforming Care

RESEARCH

Information Gathering, Surveys,

Interviews

CONVENE

- Exec Roundtables, Committees, Webinars,

Workgroups

OUTPUTS & RECOMMEND

ATIONS

Guidance, Education, Reports

5

eHealth - Convening Executives to Research & Identify Best Practices

6

• Data Analytics

• Data Access and Privacy

• Interoperability

• Patient and Provider Technology Adoption

This webinar was made possible through the generosity and support of AHIMA!

Meet the Speakers

Kathy DowningKatherine Downing, MA, RHIA,

CHPS, PMP, Senior Director, IGAdvisors®, American Health

Information Management Association (AHIMA)

Judi HofmanNorthwest Regional Privacy

Officer, Catholic Health Initiative

Barb Beckett, RHIT, CHPSSystems Privacy Officer, St.

Luke's Health System

© 2015© 2015

Advancing Privacy & Security Practices Through an Organization Wide Information Governance Program

Kathy Downing, MA, RHIA, CHPS, PMPSr. Director Information Governance AHIMA IGAdvisors™www.IGIQ.comTwitter: HIPAAqueen #IGNOW

© 2015© 2015

• Define information governance and discuss how it is used across industries

• Outline how the IG Principles of Compliance and Information Protection lay a framework for enterprise wide information governance

• Define how security and privacy officers extend their view and outlook to advance P/S efforts and information governance

Objectives

© 2015© 2015

• P&G

• MasterCard

• Motorola

• AutoTrader

• McKesson

• UBS

Information Governance –Not just HealthCare

© 2015© 2015

2015 IGI Annual Report

IGI Annual Report 2015 is available at: www.Iginitiative.com

© 2015© 2015

People

• Coordinating Care / Cost of Care / Quality of Care

• Patient Engagement

• Managing Patient Populations

Process

• Regulatory Compliance

• Managing Switch to Value Based Reimbursement

• Reducing Hospital Acquired Conditions

• Mergers and Acquisitions

Technology

• Managing Data

• Improving Information Security

• Trusted data exchange

Why Information Governance is Important

© 2015© 2015

Healthcare Organizations are Succeeding On the Road to

Information Governance

© 2015© 2015

© 2015© 2015

Robert F. SmallwoodInformation Governance Concepts, Strategies, and Best Practices

© 2015

© 2015© 2015

Information Governance

© 2015

What is Information Governance?

• All types of healthcare organizations

• All sources of information

• All formats of information

• All types of media

© 2015© 2015

IG Structure

Strategic Alignment

Privacy & Security

Legal and Regulatory

Data Governance

IT Governance

Analytics

IG Performance

Enterprise Info Mgnt

Awareness & Adherence

AHIMA’s Information Governance Adoption Model Competencies

(IGAM)™

AHIMA Information Governance Adoption Model (IGAM™) Competencies

© 2017 AHIMA

© 2017 AHIMA

© 2017 AHIMA© 2017 AHIMA© 2017 AHIMA

© 2015© 2015

Appropriate levels of protection

from breach, corruption and loss

must be provided for information

that is private, confidential,

secret, classified, essential to

business continuity, or otherwise

requires protection...

IG Principle of Protection

AHIMA.ORG/INFOGOV

Must address all sources, all media and

must apply throughout the life of the

information.

© 2015

Information practices and

processes must comply with

organization policies and all

applicable laws, regulations,

and standards.

Compliance

© 2015© 2015

• New Role or Included in an Established Role

– Focused on the business benefits of the organization’s information

– Sits in the business, but has a solid understanding of data technology and information architecture

– Involved in board-level discussions on strategy

– Owns and drives Information Strategy, Information Governance, Information Risk and Information Exploitation

Evolution of the IG Senior Leader – Chief Information Governance Officer (CIGO)

© 2015

© 2015

AHIMA IG Adoption Model TM

• Five-Level Model• Defines characteristics of governance practices at

advancing levels of maturity• Rooted in IG best practices, standards and

requirements• Introduces constructs of IG Organizational “Core

Competencies” that are enumerated by performance-driven “markers”

© 2015© 2015

© 2015

AHIMA IG Adoption Model TM

• Scalable framework for assessing IG adoption maturity

• Easily understood by multiple stakeholders• Brings value to the organization regardless of

starting assessment level• Creates a pathway of progressive performance

expectations to guide organizations through implementation of IG

© 2015

© 2015© 2015

• It’s a shift to a larger focus

– If your organization has a breach and patient information is not the target of the attack there is still reputational damage and local concern.

• IG creates enterprise wide effort to protect information, not just clinical information.

Information Governance – How could it help?

© 2015© 2015

• Many areas included in the IGAM relate to the responsibilities of the Privacy Officer– Information Asset Inventory

– Access Controls

– Breach Management

– Mobile Device Management

– Social Media Controls

– Enterprise wide training and awareness programs

– Compliance monitoring

– Business Continuity and Disaster Recovery

Information Governance & the Privacy Officer

© 2015© 2015

• Security Officers often focus efforts on:

– Clinical data

– Electronic data

• Expansion of the security officer’s role to Information Governance

– All data, all media, all locations, all types

– Involvement in business continuity and disaster recovery planning

– Involvement in access management

Security Roles and Information Governance

© 2015© 2015

• HIPAA data breaches climb 138 percent• Information on 4.9 million Tricare Management Activity

beneficiaries was stolen from a Science Applications International Corporation employee’s car in 2011.

• This year, Complete Health Systems, reported that a network server was hacked and personal information was stolen, affecting 4.5 million people around the country.

• Illinois-based Advocate Health and Hospital Corporation reported the theft of company computers, which impacted almost 4.03 million individuals in 2013.

• Health Net in California had a data breach in 2011 that affected 1.9 million people. In that case, IBM alerted Health Net that several unencrypted server hard drives were missing from a California-based data center.

Building a Case for IG - HIPAA Breaches Reach 30M Patients

© 2015© 2015

• HIPAA privacy rule 2003

• Privacy Officer, Privacy Official in Place

• Time to expand this role outside of clinical information.

• Enterprise wide standards

• Enterprise wide access

• Paper and electronic

Privacy Roles and Information Governance

© 2015© 2015

• Consider the insider threat

• Malicious

• Accidental

• Solution

– Trust and policy are not enough.

– Organizations must invest in security, risk, and information governance training and enforcement.

Privacy and SecurityThe Insider Threat

© 2015© 2015

• Discover and classify sensitive data – and uncover compliance risks – automatically

• Know who is accessing data, spot anomalies, and stop data loss with real-time data, application, and file activity monitoring

• Rapidly analyze data usage patterns to uncover and remediate risks

Where Does Information Governance Start?Analyze sensitive data:

© 2015© 2015

• How will you effectively know what the risks are to your information?

• How will you adequately determine if controls are implemented and appropriate?

• How will management and stakeholders make informed decisions?

• How will you establish an acceptable level of risk?

Risk Assessment and Information Governance

© 2015© 2015

• Information Governance for mobile computing can include building security into the mobile applications.

• Are your nurses texting your physicians?

• How are they identifying patients?

• Do you offer encrypted texting options?

Information Governance for Mobile Devices

© 2015© 2015

• Requires a cross functional IG team• Clarify how mobile devices are being used

– EHR Access– Financial system access– Email

• Consider legal and compliance issues• Consider Mobile Device Management• Develop your Communications and Training

Plan• Update and Fine-Tune – this one can’t stay on

the shelf!

Information Governance Mobile Device Policy

© 2015

Mobile Devices: Tips to Protect and Secure Health Information

Use a password or other user authentication. Install and enable encryption.

Install and activate wiping and/or remote disabling.

Disable and do not install file- sharing applications.

Install and enable a firewall.

Install and enable security software.

Keep security software up to date.

Research mobile applications (apps) before downloading. Maintain physical control of your

mobile device.

Use adequate security to send or receive health information over public Wi-Fi networks.

Delete all stored health information before discarding or reusing the mobile device.

Use a password or other user authentication

Install or enable encryption

Install or activate wiping and/or remote disabling

Disable and do not install file-sharing applications

Install or enable a firewall

Install or enable security software

Mobile Devices: Tips to Protect and Secure Health Information

Use a password or other user authentication. Install and enable encryption.

Install and activate wiping and/or remote disabling.

Disable and do not install file- sharing applications.

Install and enable a firewall.

Install and enable security software.

Keep security software up to date.

Research mobile applications (apps) before downloading. Maintain physical control of your

mobile device.

Use adequate security to send or receive health information over public Wi-Fi networks.

Delete all stored health information before discarding or reusing the mobile device.

Keep security software up-to-date

Research mobile applications (apps) before downloading

Maintain physical control of your mobile device

Use VPNs to send or receive health information over public Wi-Fi networks

Delete all stored health information before discarding or reusing the mobile device

Ensure Minimum Security Requirements

Source: Office of National Coordinator

© 2015© 2015

Breach Management for all types of Risks:

• Gather all the facts of the potential breach

• Document specifically who, when, where, why and how the situation occurred

• Identify those impacted and what PHIinformation was potentially compromised

• Analyze & evaluate all the facts objectively to determine whether or not an impermissible access, use, or disclosure of PHI information can be substantiated.

Breach Investigation Process – not just for PHI

40

© 2015

Breach Response / Incident Management Team

• Chief Information Officer• Chief Information Security Officer• Chief Medical Information Officer• Corporate Compliance Officer• Director, Health Information & Privacy• Director, Internal Audit• Director, Office of Institutional Assurances• Director, Risk Management• General Counsel• Hospital President• SCRI President• Research Integrity Officer• VP Human Resources• VP Marketing & Communications• Leaders from affected departments

© 2015© 2015

• Not just Facebook!

• Web Publishing– Blogs, wikispaces

– microblogging (twitter)

• Social Networking – LinkedIn

• File Sharing / storage– Google drive

– Drop Box

– Photo libraries

Information Governance & Social Media

© 2015© 2015

• Lack of a Social Media Policy– Who can use social media

– What they can state / discuss

– Training is key

• Employees – accidental or intentional

• Legal Risks– This risk is avoidable with an information

governance policy, guidelines, monitoring

Biggest Risks of Social Media

© 2015© 2015

• Specifies authorized individuals• Clear distinctions between business and personal

use of social media and whether a person can use social media while at work.

• Strictly forbids any profanity, statements that could be defamatory, inflammatory,

• Outlines sanctions• Draws clear rules on use of company logos• Instructs employees shall not have an

expectation of privacy when using social media for company purposes.

• Outlines negative impact on brand.

IG Social Media Guideline Examples

© 2015© 2015

• In Gartner's report from March of 2013 on the "Six Questions to Drive Records Management in Your Social Initiatives," it is clearly stated that social media content requires records management, just like all other content, but many organizations don't know how to create an effective management process.

• In 2015, more organizations will look to incorporate social media content in their policy definition and explore methods on enforcing the policy across the various systems.

Social Media Will Be Governed According to Policy

© 2015© 2015

• Information is being created at a pace faster than organizations can analyze and extract value from it, which means that the potential value of the information may be far greater than the actual value an organization is able to derive.

• Organizations simply cannot afford to ignore the value of their information assets.

Information is an Organizational Asset

© 2015© 2015

• Formal IG Training

– New Employee

– Annual Training

• Awareness Program

• Monitoring and Accountability

• Regulatory and Legal Response

Workforce Awareness

© 2015© 2015

• Disaster Recovery Plan and Business Continuity Plans are part of the organizations overall emergency management plan.

• Tested Policies, Procedures, Systems

• Trained Staff

Business Continuity and Disaster Recovery –Key Components of Information Governance

© 2015© 2015

• Information assets inventory

• Information asset classification

• Total cost of ownership

• Managed inventory of information

• Patient information request response

• Performance measurements for IG Programs

Compliance Expanded for Information Governance

© 2015© 2015

© 2015© 2015

• Compliance +

• Privacy +

• Security=

• Chief Information Governance Officer

Wrap Up

© 2015

IGIQ.com – IG Tools and Resources

© 2015

IG Executive Training Video

© 2015© 2015

IG Executive Video

© 2015© 2015

IG Executive Training Video

© 2015© 2015

© 2015© 2015

© 2015

IG Products and Services for Excellence in Information Governance

© 2015© 2015

Resources and Recommended Reading

• AHIMA Information Governance Adoption Model for Healthcare©

• AHIMA www.IGHealthRate.com

• AHIMA www.IGAdvisors.com

• Information Governance Concepts, Strategies, and Best Practices, 2014. Robert F. Smallwood – available in AHIMA store

• Implementing Health Information Governance, 2015. Linda Kloss, MA, RHIA, FAHIMA – available in AHIMA store

• Images from www.images.google.com

• ARMA International. “Generally Accepted Recordkeeping Principles”.ARMA International, 2013. Available at www.arma.org

© 2015© 2015

• The Final HITECH Omnibus Rule (January 25, 2013)http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

• Combined HIPAA/Omnibus Rule http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html

• U.S. Department of Health and Human Services Office for Civil Rights: HIPAA Administrative Simplification - 45 CFR Parts 160, 162, and 164

• Information Governance, 2014. Robert F. Smallwood

Resources

60

© 2015

This webinar was made possible through the generosity and support of AHIMA!